ci: scout compare #88
# Triggers: a manual run, or a pull request that touches any input of the
# image build (this workflow, the Dockerfile, the version manifest, and the
# two scripts the job executes). `pull_request` is used rather than
# `pull_request_target`, so changes coming from a fork never run with this
# repository's secrets or a write-capable GITHUB_TOKEN.
on:
  workflow_dispatch:
  pull_request:
    paths:
      - '.github/workflows/pr_image.yml'
      - 'Dockerfile'
      - 'config/version.json'
      - 'script/docker-entrypoint.sh'
      - 'script/set_environment_variables.sh'
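jobs:
  test_image:
    # Job-level permissions: once any scope is declared here, every unlisted
    # scope of GITHUB_TOKEN is `none`. Nothing in this job pushes to GHCR
    # (the build step uses `load: true` and leaves `push` at its default), so
    # `packages` only needs read access for the GHCR login/pulls below.
    permissions:
      packages: read
      contents: read
      # pull-requests write permission is needed for the docker/scout-action to write a comment
      pull-requests: write
      # security-events write permission is needed for github/codeql-action/upload-sarif to upload SARIF results
      security-events: write
      # NOTE(review): if this repository is private, upload-sarif may also
      # need `actions: read` — confirm against the codeql-action docs.
    # NOTE(review): on `pull_request` runs from forks GITHUB_TOKEN is read-only
    # and repository secrets are empty, so the Docker Hub login below cannot
    # succeed there; same-repository PRs and workflow_dispatch are the paths
    # this job is expected to pass on — decide whether fork PRs need a
    # degraded (scan-less) mode.
    runs-on: ubuntu-22.04
    env:
      IMAGE_REPOSITORY_NAME: flutter-android
      ANDROID_BUILD_TOOLS_VERSION: "30.0.3"
      VERSION_MANIFEST: config/version.json
    steps:
      # Every third-party action is pinned to a full commit SHA; the trailing
      # comment records the matching release. A moved or hijacked tag thus
      # cannot change the code that runs with this job's credentials.
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      # Required for Docker Scout (the `organization` input below) and for any
      # Docker Hub pulls. DOCKER_HUB_TOKEN is expected to be a scoped access
      # token rather than the account password — confirm in the secret store.
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      # Authenticates to GHCR with the job-scoped GITHUB_TOKEN (revoked when
      # the job ends); with `packages: read` this covers pulls only.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      # Later steps read env.IMAGE_REPOSITORY_PATH, env.FLUTTER_VERSION,
      # env.FASTLANE_VERSION and env.ANDROID_PLATFORM_VERSIONS, none of which
      # are set in the job `env` above, so this script must export them
      # (presumably via $GITHUB_ENV from config/version.json — confirm).
      - name: Read environment variables from version.json
        env:
          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: ./script/set_environment_variables.sh

      # Derives OCI labels and a single version tag for each registry path.
      - name: Load image metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        id: metadata
        with:
          images: |
            ${{ env.IMAGE_REPOSITORY_PATH }}
            ghcr.io/${{ env.IMAGE_REPOSITORY_PATH }}
            quay.io/${{ env.IMAGE_REPOSITORY_PATH }}
          tags: |
            type=raw,value=${{ env.FLUTTER_VERSION }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3

      # `load: true` imports the result into the runner's Docker daemon only;
      # this workflow never pushes to a registry.
      - name: Build image and push to local Docker daemon
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
        with:
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          labels: ${{ steps.metadata.outputs.labels }}
          tags: ${{ steps.metadata.outputs.tags }}
          target: android
          build-args: |
            flutter_version=${{ env.FLUTTER_VERSION }}
            fastlane_version=${{ env.FASTLANE_VERSION }}
            android_build_tools_version=${{ env.ANDROID_BUILD_TOOLS_VERSION }}
            android_platform_versions=${{ env.ANDROID_PLATFORM_VERSIONS }}

      # TODO: Parallelize testing and vulnerability scanning
      - name: Scan with Docker Scout
        id: docker-scout
        uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 # v1
        with:
          command: compare,cves,recommendations
          # Intentionally empty: presumably the action then resolves the image
          # from the tags exported by the docker/metadata-action step above
          # — confirm against the action's documentation.
          image: ""
          # github-token is needed to be able to write the comment
          github-token: ${{ github.token }}
          organization: ${{ secrets.DOCKER_HUB_USERNAME }}
          sarif-file: output.sarif.json
          # Baseline for `compare`: the image recorded in the Docker Scout
          # `prod` environment (presumably the currently published release).
          to-env: prod

      # Publishes the Scout findings as code-scanning alerts.
      - name: Upload scan results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3
        with:
          sarif_file: output.sarif.json

      # Structure tests run against the first generated tag (the bare
      # IMAGE_REPOSITORY_PATH:FLUTTER_VERSION), which the build step loaded
      # into the local daemon.
      - name: Test image
        uses: plexsystems/container-structure-test-action@c0a028aa96e8e82ae35be556040340cbb3e280ca # v0.3.0
        with:
          image: ${{ fromJSON(steps.metadata.outputs.json).tags[0] }}
          config: test/android.yml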